Microsoft Log Parser Toolkit, the book
-
[QUOTE User="LogParser User : Amanda_H"]Quote: The FROM clause in this query is assuming that the security event log has been saved to a file named m1Security.evt. Your change to just Security is fine. It just means that LP will pull the logs dir...[/QUOTE] I am having a similar problem with this script...
-
Thanks for your reply; I really appreciate it. I haven't tried the code yet because I don't have access to the production server right now. I will do so tomorrow. In the meantime, I can see that the code would provide me with logon failure information within the span of %minutes% that I specify, but...
-
Sorry I sent you over here when your question was not actually answered much by this thread. If you post an example of the data in your old thread, I'll take a stab at cracking out that text for you. I looked through my Security log and I don't have that string.
-
Take a look at the help for the QUANTIZE function which is what is causing the query you list above to be currently grouped by hour. To be able to quickly specify X minutes, you'll probably want to use Query Parameters. Check: Log Parser | Reference | Command-Line Operation | Query Execution Mode | search...
-
Hi all, I am trying to write a script that would be able to do the following: find all logon failures that occurred 1 minute apart. Optionally, find all that occurred 2 minutes apart, and maybe 3 minutes or hours apart, etc. The goal is to see whether any attacker has a list of usernames and is trying...
-
Can duplicate the code now. Thanks. However, I'm having trouble adding the 'Source Network Address:' field/contents that is in the description of many security events. I've tried single and double quotes around the phrase without success. Any help?
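The pieces discussed in this thread (QUANTIZE driven by a %minutes% query parameter, filtering out empty account names with <> '', and pulling the Source Network Address out of the event) fit into one Log Parser query. The query below is an added example, not code from the thread or from the Log Parser Toolkit book. It assumes a Windows Server 2003 Security log read from the live Security log (FROM Security), that event 529 is the bad-username/bad-password logon failure, and that the Source Network Address is the twelfth pipe-separated entry of the event's Strings field (token index 11); that index holds for 529 on Server 2003 SP1 but not for every event ID or OS version, so verify it against one of your own events before trusting the column.

```sql
-- Added example query (not from the thread). Run from a command prompt as:
--   LogParser -i:EVT -o:DATAGRID "file:failed_logons.sql?minutes=2"
-- %minutes% is a query parameter substituted from the command line
-- (Log Parser | Reference | Command-Line Operation | Query Execution Mode).
-- Assumption: Server 2003 event 529; Strings token 0 is the target user name
-- and token 11 is the Source Network Address. Other logon-failure IDs
-- (530-539) lay out their Strings differently, so check before adding them.
SELECT
    QUANTIZE(TimeGenerated, MUL(%minutes%, 60)) AS Window,
    EXTRACT_TOKEN(Strings, 0, '|')              AS Account,
    EXTRACT_TOKEN(Strings, 11, '|')             AS SourceAddress,
    COUNT(*)                                    AS Failures
FROM Security
WHERE EventID = 529
  AND EventTypeName = 'Failure Audit event'
  -- two single quotes: drop events whose target account is an empty string
  AND EXTRACT_TOKEN(Strings, 0, '|') <> ''
GROUP BY Window, Account, SourceAddress
-- keep only windows with repeated failures; raise this for noisier networks
HAVING COUNT(*) > 1
ORDER BY Failures DESC
```

Two caveats a practitioner should keep in mind. QUANTIZE rounds each timestamp down to a %minutes%-wide bucket, so two failures 30 seconds apart can still land in different buckets when they straddle a boundary; if you need "within N minutes of each other" rather than "in the same N-minute window", run the query twice with an offset or post-process the output. And SourceAddress will be NULL for events that carry no network address (local or pre-SP1 logons), which is what the earlier reply in this thread observed when the string was missing from its own log.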
-
You mean User<>''? That's actually two single quotes. It is saying where this field isn't equal to an empty string.
-
Is that single 'double-quote' correct? I can't duplicate this code.
-
Oh, I figured it out. I changed the FROM field to FROM Security and changed the GROUP field to GROUP BY ACCOUNT, and it worked!